Cross Site Request Forgery (CSRF)

Polls are easy target for automation abuse. You can usually participate anonymously and the poll operator has an interest in drawing as many participants as possible, but as demonstrated by previous incidents such loose security enables hackers to distort the results.

This time a hacker succeeded in manipulating Time's poll for most influential people in 2009.

Update (Apr 19^th 2009) - The initial Mooney Twitter worm has evolved into a series of 5 worms at the time of writing, each exploiting a different vulnerability in Twitter. The latest one specifically focuses on twitter accounts who have a high number of followers thus targeting celebrities such as Ashton Kutcher and Oprah Winfrey according to Graham Cluley from Sophos.

Gareth Heyes (and others) reported an interesting vulnerability in Twitter last week. While his post included a proof of concept code, it does not qualify as a hack only a vulnerability disclosure and the Web Hacking Incident Database does not list vulnerabilities.

Luckily Giorgio Maone decided to create his own proof of concept, run it himself and provide us with the result, enabling me to label this as a hack

By exploiting a CSRF bug in twitter (or maybe a feature?) site owners can get twitter profiles of their visitors. For Twitter this is a second this year and now the comprise 50% of the web incidents for 2009. Is this going to be the year of Web 2.0 security?

The DNSchanger Trojan uses different methods to manipulate the DNS lookup of the victim. One of the most malicious techniques is using CSRF to attack the ADSL or cable router and modify its DNS tables.

More Information:

• McAfee: DNSChanger Trojans v4.0, Dec 4th 2008

Symantec reported an active exploit of CSRF against residential ADSL routers in Mexico (WHID 2008-05). An e-mail with a malicious IMG tag was sent to victims. By accessing the image in the mail, the user initiated a router command to changethe DNS entry of a leading Mexican bank, making any subsequent access by a user to the bank go through the attacker's server.

Additional information: